This commit adds a basic infrastructure to support Address Space
Randomization (ASR). In a nutshell, using the already imported ASR
LLVM pass, multiple versions can be generated for the same system
service, each with a randomized, different address space layout.
Combined with the magic instrumentation for state transfer, a system
service can be live updated into another ASR-randomized version at
runtime, thus providing live rerandomization.
Since MINIX3 is not yet capable of running LLVM linker passes, the
ASR-randomized service binaries have to be pregenerated during
cross-compilation. These pregenerated binaries can then be cycled
through at runtime. This patch provides the basic proof-of-concept
infrastructure for both these parts.
In order to support pregeneration, the clientctl host script has
been extended with a "buildasr" command. It is to be used after
building the entire system with bitcode and magic support, and will
produce a given number of ASR-randomized versions of all system
services. These services are placed in /usr/service/asr in the
image that is generated as final step by the "buildasr" command.
In order to support runtime updating, a new update_asr(8) command
has been added to MINIX3. This command attempts to live-update the
running system services into their next ASR-randomized versions.
For now, this command is not run automatically, and thus must be
invoked manually.
Technical notes:
- For various reasons, magic instrumentation is x86-only for now,
and ASR functionality is therefore to be used on x86 only as well.
- The ASR-randomized binaries are placed in numbered subdirectories
so as not to have to change their actual program names, which are
assumed to be static in various places (system.conf, procfs).
- The root partition is typically too small to contain all the
produced binaries, which is why we introduce /usr/service. There
is a symlink from /service/asr to /usr/service/asr for no other
reason than to let userland continue to assume that all services
are reachable through /service.
- The ASR count field (r_asr_count/ASRcount) maintained by RS is not
used within RS in any way; it is only passed through procfs to
userland in order to allow update_asr(8) to keep track of which
version is currently loaded without having to maintain own state.
- Ideally, pre-instrumentation linking of a service would remove all
its randomized versions. Currently, the user is assumed not to
perform ASR instrumentation and then recompile system services
without performing ASR instrumentation again, as the randomized
binaries included in the image would then be stale. This aspect
has to be improved later.
- Various other issues are flagged in the comments of the various
parts of this patch.
Change-Id: I093ad57f31c18305591f64b2d491272288aa0937
This patch adds support for Unix98 pseudo terminals, that is,
posix_openpt(3), grantpt(3), unlockpt(3), /dev/ptmx, and /dev/pts/.
The latter is implemented with a new pseudo file system, PTYFS.
In effect, this patch adds secure support for unprivileged pseudo
terminal allocation, allowing programs such as tmux(1) to be used by
non-root users as well. Test77 has been extended with new tests, and
no longer needs to run as root.
The new functionality is optional. To revert to the old behavior,
remove the "ptyfs" entry from /etc/fstab.
Technical notes:
o The reason for not implementing the NetBSD /dev/ptm approach is that
implementing the corresponding ioctl (TIOCPTMGET) would require
adding a number of extremely hairy exceptions to VFS, including the
PTY driver having to create new file descriptors for its own device
nodes.
o PTYFS is required for Unix98 PTYs in order to avoid that the PTY
driver has to be aware of old-style PTY naming schemes and even has
to call chmod(2) on a disk-backed file system. PTY cannot be its
own PTYFS since a character driver may currently not also be a file
system. However, PTYFS may be subsumed into a DEVFS in the future.
o The Unix98 PTY behavior differs somewhat from NetBSD's, in that
slave nodes are created on ptyfs only upon the first call to
grantpt(3). This approach obviates the need to revoke access as
part of the grantpt(3) call.
o Shutting down PTY may leave slave nodes on PTYFS, but once PTY is
restarted, these leftover slave nodes will be removed before they
create a security risk. Unmounting PTYFS will make existing PTY
slaves permanently unavailable, and absence of PTYFS will block
allocation of new Unix98 PTYs until PTYFS is (re)mounted.
Change-Id: I822b43ba32707c8815fd0f7d5bb7a438f51421c1
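As an added illustration of the interfaces the commit message above names (this is example code written for this page, not part of the MINIX3 patch): the Unix98 allocation sequence posix_openpt(3), grantpt(3), unlockpt(3), ptsname(3), followed by the check a program should make before trusting the slave node, that it is owned by the calling user and carries no permission bits for "other". It assumes any POSIX host with /dev/ptmx and /dev/pts/ (a MINIX3 system with ptyfs mounted, Linux, or NetBSD).

```c
/*
 * Added example, not from the MINIX3 source tree: allocate a Unix98
 * pseudo terminal as an unprivileged user and verify the slave node's
 * ownership and mode, which is the property grantpt(3) exists to provide.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open a master/slave pair. On success, fills in both descriptors and
 * copies the slave path into slave_path; returns 0. Returns -1 on failure
 * with errno left as set by the failing call.
 */
int open_pty_pair(int *master_fd, int *slave_fd, char *slave_path, size_t len)
{
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0)
        return -1;
    /* grantpt() hands the slave node to the caller; unlockpt() lets it be opened. */
    if (grantpt(mfd) < 0 || unlockpt(mfd) < 0) {
        close(mfd);
        return -1;
    }
    const char *name = ptsname(mfd);
    if (name == NULL || strlen(name) >= len) {
        close(mfd);
        return -1;
    }
    strcpy(slave_path, name);
    int sfd = open(slave_path, O_RDWR | O_NOCTTY);
    if (sfd < 0) {
        close(mfd);
        return -1;
    }
    *master_fd = mfd;
    *slave_fd = sfd;
    return 0;
}

/*
 * Check the slave node: owned by our real uid and not world-accessible.
 * Returns 1 when the check passes, 0 when it fails, -1 if stat() fails.
 */
int slave_is_private(const char *slave_path)
{
    struct stat st;
    if (stat(slave_path, &st) < 0)
        return -1;
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & S_IRWXO)
        return 0;
    return 1;
}

/*
 * Push one constructed line from the master side and read it back on the
 * slave (canonical mode delivers it once the newline arrives). Returns 0
 * when the same bytes come out, -1 otherwise.
 */
int pty_roundtrip(int master_fd, int slave_fd)
{
    const char msg[] = "hello pty\n";      /* constructed sample input */
    char buf[sizeof msg];
    size_t want = sizeof msg - 1, got = 0;

    if (write(master_fd, msg, want) != (ssize_t)want)
        return -1;
    while (got < want) {
        ssize_t n = read(slave_fd, buf + got, want - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return memcmp(buf, msg, want) == 0 ? 0 : -1;
}

int main(void)
{
    int m, s;
    char path[64];

    if (open_pty_pair(&m, &s, path, sizeof path) < 0) {
        perror("open_pty_pair");
        return 1;
    }
    printf("slave %s private=%d roundtrip=%d\n",
           path, slave_is_private(path), pty_roundtrip(m, s));
    close(s);
    close(m);
    return 0;
}
```

The ownership check is the reason grantpt(3) matters for non-root callers: without it, a slave node left with its previous owner or with world-readable mode would let another user read or inject terminal traffic. The commit's design, creating the slave node only on the first grantpt(3) call, is what lets the check above pass without a separate revoke step.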
Removes the following man pages:
* awk.1x -- for a version of awk we no longer have
* kermit.1x -- seems gone altogether
* macros.1x -- not useful for anyone anymore
Moves the following man pages:
* mined.1x -- Moved to minix/commands/mined/mined.1
and reformatted to use the mdoc macros instead of the
Minix macros so that it displays properly.
Removes /usr/man/man1x from the directory tree.
closes #44
Change-Id: I59b8bd54cf5cba6d188e51e99a92b36e90c275c1
With the import of Xorg, a proper separation between login-time and
subshell-time of the environment setup is necessary.
Instead of re-developing this from scratch, I am taking the opportunity
to import the NetBSD default environment.
Change-Id: Ib6a8fbd9c2f407ccd59be57a52ef9df21c2c9ce7
We have to use SOCK_SEQPACKET instead of SOCK_STREAM for client/server
communication, because UDS does things with control messages that tmux
does not expect.
Change-Id: I3edb1875d61fb976cf6485c650f4fd4b82fa354c
/etc/profile enables tab completion by default, as well as emacs mode,
in order to keep the old MINIX ash behavior.
Note: The shell now refuses to source a script without a relative or
absolute path.
This means:
- '. myscript.sh' fails, while
- '. ./myscript.sh' succeeds
Change-Id: I0be89b0747bd005e4c05cadb937af86883627dc6
The bin user doesn't need an actual home folder to run the tests. As
such this account should not be used in 'su - bin'. Note that
'su bin' still works as expected, and allows running the minix test set
as usual.
Change-Id: I21fd178bf3b7b28849f05ef24930b553094cc851
We used to have an account "ast" as a token to Andrew S. Tanenbaum,
the creator of MINIX. The account was disabled by default, with no
possible way to login.
It seems it generates more confusion than it is worth, so this removes it.
The default skeleton user profile is still stored in /etc/ast instead
of the usual /etc/skel.
Change-Id: I71818c0bb9580cdecfa9621f8693586fc48d17cb
This concerns all services, a.k.a. drivers, filesystem drivers, network
(inet, lwip, uds) servers, and the system servers.
Change-Id: I626fd15c795e15af42df2d10d47fb4a703665d63
- Fix for possible unset uid/gid in toproto
- Fix for default mtree style
- Update libelf
- Importing libexecinfo
- Resynchronize GCC, mpc, gmp, mpfr
- build.sh: Replace params with show-params.
This has been done as the make target has been renamed in the same
way, while a new target named params has been added. This new
target generates a file containing all the parameters, instead of
printing it on the console.
- Update test48 with new etc/services (Fix by Ben Gras <ben@minix3.org>)
get getservbyport() out of the inner loop
Change-Id: Ie6ad5226fa2621ff9f0dee8782ea48f9443d2091
* /usr/bin/strip would be replaced by a link, even when compiling
binutils.
* Updated minix-spec.h to use the correct dynamic linker, and removed
the previously used symlinks.
* Removed the patch to the builtin PATH of ld.elf_so.
Change-Id: I4dc8a7fb77a11638f5105a4e15b6c9be5add750e
- fail SEF initialization if any of the subtests failed, so that the
party invoking the "service up" can tell whether the test succeeded;
- add "nocontig" option, because VM isn't particularly good at
allocating contiguous memory;
- add "silent" option, because it floods the console otherwise;
- allow the device size to be smaller than the maximum transfer size;
- install files to installed test directory.
Change-Id: I45c818f817c11d90c5f94ae26a2fc49e36e6761e
The BeagleBone Weather cape enhances the BeagleBone's capabilities
by providing environment sensors (temperature, humidity, pressure,
and ambient light level).
The weatherstation demo is a port of the bonescript weatherstation
to Minix. It provides a nice visual display of the sensor data in
a web browser.
The code is installed to /usr/share/beaglebone/weather on 'earm'
and an embedded web server is started at boot time on port 80
when the cape is attached. Further details are provided in the
README.txt file.
Change-Id: I1596a2b66b213762ace26c0c750c8154c76b5c6e
To do so, a few dependencies have been imported:
* external/bsd/lutok
* external/mit/lua
* external/public-domain/sqlite
* external/public-domain/xz
The Kyua framework is the new generation of ATF (Automated Test
Framework), it is composed of:
* external/bsd/atf
* external/bsd/kyua-atf-compat
* external/bsd/kyua-cli
* external/bsd/kyua-tester
* tests
Kyua/ATF being written in C++, it depends on libstdc++ which is
provided by GCC. As this is not part of the sources, Kyua is only
compiled when the native GCC utils are installed.
To install Kyua do the following:
* In a cross-build environment, add the following to the build.sh
command line: -V MKBINUTILS=yes -V MKGCCCMDS=yes
WARNING:
At this point the import is still experimental, and not supported
on native builds (a.k.a. make build).
Change-Id: I26aee23c5bbd2d64adcb7c1beb98fe0d479d7ada
-By adding MKGCC=yes and MKGCCCMDS=yes on the make command line
it is now possible to compile and install GCC on the system.
Before doing this, if you are not using the build.sh script,
you will need to call the fetch scripts in order to retrieve
the sources of GCC and its dependencies.
-Reduce difference with NetBSD share/mk
Move Minix-specific parameters from bsd.gcc.mk to bsd.own.mk,
which is anyway patched, so that bsd.gcc.mk is now aligned
on the NetBSD version.
-Clean library dependencies, compile stdc++ only if gcc is
also compiled (it is part of the gcc sources)
-Correct minix.h header sequence, cleanup spec headers.
-Fix cross-compilation from a 32-bit host targeting MINIX/arm
Change-Id: I1b234af18eed4ab5675188244e931b2a2b7bd943
- Enable installing binutils from the base system.
- Import texinfo which is required for the binutils tools
to be compiled.
- Also adapted the fetch rules to correctly generate the
gitignore files for gcc, and allow the case of multiple
modules in the same directory, as found in gnu/dist.
Warning: This patch has an entry in docs/UPDATING
Change-Id: Ib781734e8fd7f9c6265fa65d62ba2cf3fccbc5ba
A few symlinks were pointing to a nonexistent file named '(null)'
instead of their intended target. This was only seen when using the
arm_sdimage.sh script.
There are two ways of specifying links and directories: the first one
using an entry in one of the mtree files, and the second one in
/etc/Makefile.
Those entries were doubled, and one of them would specify some rights,
while the other had the target.
By removing those entries, I make sure there is only one definition of
these symlinks, which solves the problem I was seeing on an ARM image.
These symlinks are still present on a generated system, as they are
required.
Change-Id: I9ced8860f72d7c4d686a09720de4d8257d6e04fa
Install /home/ast and /home/bin as part of the system build procedure,
as the setup script is not run on the arm image.
/home/bin is needed for successful completion of our test suite.
This patch does not change the setup script, as it is not bothered by
those files/directories being already there, and may be useful during
reinstallation on intel systems.
Change-Id: I358c881df09223c343442673aa0822937f9ea33c
LSC: Small correction, using the group name is not secure in cross-build
setups, replaced by the numerical gid to ensure proper operation.
Change-Id: I7657b77f29eaa513fe24d8c4e2eb6de9afd53950
With the build system upgrade, the list of system directories was
recreated, and the sticky bit was forgotten.
Change-Id: Ie2f2241734dde9f1e217cd38588296dc21d07b81
The tested targets are the following ones:
* tools
* distribution
* sets
* release
The remaining NetBSD targets have not been disabled nor tested
*at all*. Try them at your own risk, they may reboot the earth.
For all compliant Makefiles, objects and generated files are put in
MAKEOBJDIR, which means you can now keep objects between two branch
switches. Same for DESTDIR; please refer to the build.sh options.
Regarding new Makefiles or modifications of Makefiles, a few things:
* Read share/mk/bsd.README
* If you add a subdirectory, add a Makefile in it, and have it called
by the parent through the SUBDIR variable.
* Do not add arbitrary inclusions which cross to another branch of
the hierarchy; if you can't do without one, put a comment on why.
If possible, do not use inclusion at all.
* Use as much as possible the infrastructure, it is here to make
life easier, do not fight it.
Sets and packages are now used to track files.
We have one set called "minix", composed of one package called "minix-sys".
Bumping libc files for unsupported architectures, to simplify merging.
A bunch of small fixes:
* in libutil update
* the macro in endian.h
* some undefined types due to clear separation from host.
* Fix a warning for cdbr.c
Some modifications which were required for the new build system:
* inclusion path for const.h in sconst, still hacky
* Removed default malloc.c which conflicts on some occasions.
Building defaults to off until clang is updated.
Current clang does not handle -shared, which is necessary to change the ld
invocation to build shared libraries properly. A new clang should be
installed, and MKPIC defaults to no unless the newer clang is detected.
Changes:
. mainly small imports of a Makefile or two and small fixes
(turning things back on that were turned off in Makefiles)
. e.g.: dynamic librefuse now depends on dynamic
libpuffs, so libpuffs has to be built dynamically too
and a make dependency barrier is needed in lib/Makefile
. all library objects now have a PIC (for .so) and non-PIC
version, so everything is built twice.
. generate PIC versions of the compat (un-RENAMEd) jump files,
include function type annotation in generated assembly
. build progs with -static by default for now
. also build ld.elf_so
. also import NetBSD ldd